Batiste wrote:
> Hello, I have some spam incoming in my mailbox... The send_mail
> function has to be protected... What's wrong with my code?
>
> from django.core.mail import send_mail
> from django.http import HttpResponseRedirect
>
> def sendMail(request):
>     # Use the visitor's posted address as the sender, or a fixed fallback.
>     if 'email' in request.POST:
>         email = request.POST['email']
>     else:
>         email = '[EMAIL PROTECTED]'
>     # send_mail returns the number of messages sent (0 on failure, since
>     # fail_silently=True swallows the SMTP error).
>     if send_mail(request.POST['sujet'], request.POST['message'], email,
>                  ['[EMAIL PROTECTED]', '[EMAIL PROTECTED]'], fail_silently=True):
>         return HttpResponseRedirect('/contact/ok/')
>     else:
>         return HttpResponseRedirect('/contact/fail/')
>
>
> I suspect there is a header injection because I receive this kind of
> mail:
>
> grave
> Content-Type: multipart/alternative;
[snip]
> Can somebody help me?

Hello Batiste,

I guess there's nothing wrong with your code.

from django.core.mail's code:

from email.MIMEText import MIMEText

class BadHeaderError(ValueError):
    pass

class SafeMIMEText(MIMEText):
    def __setitem__(self, name, val):
        "Forbids multi-line headers, to prevent header injection."
        # A CR or LF inside a header value would start a new header line,
        # so the value is refused rather than cleaned up.
        if '\n' in val or '\r' in val:
            raise BadHeaderError, "Header values can't contain newlines (got %r for header %r)" % (val, name)
        MIMEText.__setitem__(self, name, val)

we can see that it prevents only multi-line *header injection*, which
could be used to fake the header's "From" to make the recipient believe
that the mail comes from A, when it actually comes from spammer B.

There's no spam filtering function in Django's mail functions, and I
think it's not Django's job :)

So, spammers can still throw garbage into your
request.POST['message'] and send it to you ;)

In my opinion, you may do some filtering on
request.POST['message'] to identify spam and drop it before sending
it to your mailbox.

HTH.

- Eric
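As an added illustration of the two points in this thread (this is example code written for this page, not code from the thread or from Django itself): the same header rule as SafeMIMEText, applied to a contact form, next to the kind of body filtering Eric suggests, which Django does not do. It uses the standard library's email.message instead of django.core.mail so it runs without Django; the placeholder addresses, the looks_like_spam heuristic and the handle_contact_form wrapper (which mirrors the ok/fail redirect of the original view) are assumptions made for the example.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr


class BadHeaderError(ValueError):
    """Raised when a header value would span more than one line."""


def check_header(name, value):
    """Same rule as SafeMIMEText in django.core.mail: a CR or LF inside a
    header value would start a new header line (e.g. an injected Bcc:),
    so the value is refused outright instead of being cleaned."""
    if "\n" in value or "\r" in value:
        raise BadHeaderError(
            "Header values can't contain newlines (got %r for header %r)" % (value, name))
    return value


# Django never inspects the body, so this is a hypothetical, deliberately
# simple body filter: drop bodies that carry MIME/header lines (what the
# spam quoted in the thread starts with) or that are mostly links.
HEADER_LINE = re.compile(
    r"^(Content-Type|Content-Transfer-Encoding|MIME-Version|Bcc|Cc|To|From|Subject)\s*:",
    re.IGNORECASE | re.MULTILINE,
)
ADDRESS = re.compile(r"[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+")


def looks_like_spam(body, max_urls=3):
    """Return True if the body should be dropped before it is mailed."""
    if HEADER_LINE.search(body):
        return True
    return len(re.findall(r"https?://", body, re.IGNORECASE)) > max_urls


def build_contact_message(subject, body, user_address,
                          site_from="contact@example.com",
                          recipients=("webmaster@example.com",)):
    """Build the contact-form mail (addresses are placeholders).

    The visitor's address only goes into Reply-To; From is always the
    site's own address. Raises BadHeaderError on a header injection
    attempt, ValueError on a malformed address, and returns None when
    the body is dropped as spam."""
    _, addr = parseaddr(user_address)
    if not ADDRESS.fullmatch(addr):
        raise ValueError("malformed address: %r" % user_address)
    if looks_like_spam(body):
        return None
    msg = EmailMessage()
    msg["From"] = check_header("From", site_from)
    msg["To"] = check_header("To", ", ".join(recipients))
    msg["Reply-To"] = check_header("Reply-To", addr)
    msg["Subject"] = check_header("Subject", subject)
    msg.set_content(body)
    return msg


def handle_contact_form(post):
    """Stand-in for the view: maps a POST dict to the redirect the original
    code would pick ('ok' or 'fail') plus the reason for that choice."""
    try:
        msg = build_contact_message(post.get("sujet", ""), post.get("message", ""),
                                    post.get("email", "nobody@example.com"))
    except BadHeaderError:
        return "fail", "header injection"
    except ValueError:
        return "fail", "bad address"
    if msg is None:
        return "fail", "spam"
    return "ok", "sent"


if __name__ == "__main__":
    # Constructed sample submissions: a real one, a header injection attempt
    # in the subject, and a body like the spam quoted in the thread.
    samples = [
        {"sujet": "Question", "message": "Hello,\nwhere can I download the docs?",
         "email": "bob@example.org"},
        {"sujet": "grave\r\nBcc: victim@example.com", "message": "hi",
         "email": "bob@example.org"},
        {"sujet": "grave", "message": "grave\nContent-Type: multipart/alternative;\n boundary=\"x\"",
         "email": "bob@example.org"},
    ]
    for post in samples:
        print(post["sujet"].encode("unicode_escape").decode(), "->", handle_contact_form(post))
```

The header check catches the subject-line injection and the body filter catches the pasted MIME lines; neither is a substitute for the other. Putting the visitor's address in Reply-To rather than From also keeps your own mail from being sent "from" arbitrary domains. Any body heuristic will have false positives (a legitimate message starting with "To: whom it may concern" would be dropped by this one), so tune it to what you actually receive.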


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users
-~----------~----~----~----~------~----~------~--~---